Windows Defender is Microsoft's real-time anti-spyware and unwanted pest detection and removal tool. Best of all, it's free. Windows Defender was originally created by, and bought from, a company called Giant Company Software. It was completely rewritten and enhanced by Microsoft, and released as an extended beta download for Windows 2000 and above. Windows Defender is installed by default in Vista, and is available in 32- and 64-bit versions.
Windows Defender is installed as a service with an end user accessible front end. Unless configured otherwise, Windows Defender actively runs in memory, but doesn't make a noticeable appearance unless a potentially unwanted program is detected. End users can decide whether or not Windows Defender places an icon on the task bar, although users can always access it through the Control Panel or Security Center.
Windows Defender is integrated with an online community called SpyNet. If a user chooses to participate, their own personal choices when dealing with spyware and other unwanted programs are uploaded to SpyNet, and used to create a larger online reference database. The shared database is used by Microsoft to detect new forms of spyware, and to recommend treatment advice to existing users based upon the overall community's choices.
Both administrators and non-administrators can benefit from the Windows Defender's protection. Users do not have to be administrators to run software scans or to remove unwanted programs. It scans all downloads arriving via Internet Explorer version 6 and above, via Outlook, and is able to perform on-demand scans of local media (see Figure 1). Its real-time protection can prevent unwanted programs from being executed and installed anywhere within Vista (an example warning is shown in Figure 2).
Figure 1: Windows Defender performing a scan
Figure 2: A Windows Defender warning
Real-time protection can be set granularly. A user can choose whether to enable real-time scanning on the following areas:
Internet Explorer (add-ons, settings, downloads)
Application Execution (and registration)
Windows Defender's software agents provide the real-time protection. Using the Msmpeng.exe or Msascui.exe processes, they monitor over 100 computer locations, including autorun areas, startup folders, registry keys, and system settings. You identify the areas to be monitored by enabling or disabling the various real-time protection options, which you can see in the preceding list.
Windows Defender can automatically scan at a predetermined daily or weekly interval (see Figure 3). Quick scans can be initiated, checking only the most common areas for spyware and pest programs, or a full-scan can be done. Windows Defender checks for updated definitions just before scanning, and new spyware definitions are automatically downloaded using Automatic Updates.
Figure 3: Windows Defender can be configured to run scheduled scans.
The user can be prompted to remove, ignore, or quarantine detected software, or, as shown in Figure 3, the user can configure Windows Defender to choose a default option automatically.
Windows Defender will look for spyware, adware, pest programs, and other programs reported by Microsoft and the Windows Defender SpyNet community. Windows Defender can even notify Administrators, in the event log, about changes made to a computer by previously allowed software (see Figure 4).
Figure 4: Windows Defender can log to the event log when it detects changes.
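The two capabilities just described (watching the autorun areas, and reporting when something changes them) can be approximated from the command line. The following PowerShell script is an added example written for this chapter, not part of Windows Defender and not code from the book's authors: it snapshots the classic Run/RunOnce registry keys and the per-user and all-users Startup folders, saves the result as a baseline, and on later runs reports entries that were added, removed, or whose command line changed. The list of keys is this example's own selection, not Defender's full set of monitored locations, and the baseline file name is an assumption.

```powershell
# Added example: baseline the common autorun locations and diff later snapshots against it.
# The key list is this example's selection, not Windows Defender's complete monitored set.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    # Collect one object per autorun entry from the registry keys and the Startup folders.
    $(
        foreach ($key in $AutorunKeys) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
                if ($p.Name -like 'PS*') { continue }
                [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
        # Every file in a Startup folder is launched at logon.
        foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                              [Environment]::GetFolderPath('CommonStartup'))) {
            if (-not (Test-Path $folder)) { continue }
            foreach ($f in (Get-ChildItem -Path $folder -File)) {
                [PSCustomObject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
            }
        }
    ) | Sort-Object Location, Name
}

function Compare-AutorunSnapshot {
    param(
        [Parameter(Mandatory)] $Baseline,
        [Parameter(Mandatory)] $Current
    )
    # Key each entry by location + value name so a changed command line shows as "Modified".
    $base = @{}; foreach ($e in $Baseline) { $base["$($e.Location)|$($e.Name)"] = $e.Command }
    $now  = @{}; foreach ($e in $Current)  { $now["$($e.Location)|$($e.Name)"]  = $e.Command }

    foreach ($k in $now.Keys) {
        if (-not $base.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Added';    Entry = $k; Command = $now[$k] }
        } elseif ($base[$k] -ne $now[$k]) {
            [PSCustomObject]@{ Change = 'Modified'; Entry = $k; Command = "$($base[$k]) -> $($now[$k])" }
        }
    }
    foreach ($k in $base.Keys) {
        if (-not $now.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Removed';  Entry = $k; Command = $base[$k] }
        }
    }
}

# Usage: the first run writes a baseline; later runs print the differences.
# The baseline path is an assumption made for this example.
$baselinePath = Join-Path $env:USERPROFILE 'autorun-baseline.json'
if (-not (Test-Path $baselinePath)) {
    ConvertTo-Json -InputObject @(Get-AutorunSnapshot) -Depth 3 | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
} else {
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $changes = @(Compare-AutorunSnapshot -Baseline $baseline -Current (Get-AutorunSnapshot))
    if ($changes.Count -eq 0) { Write-Host 'No autorun changes since baseline.' }
    else { $changes | Format-Table -AutoSize }
}
```

Run it once from a known-clean state to create the baseline, then rerun after installing software or when troubleshooting; an "Added" or "Modified" row is the same class of event that Defender reports in the event log, and the Command column tells you what would execute at the next logon.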
Windows Defender also includes heuristic detection for previously unknown pest programs (Figure 5 shows the option setting). It can scan inside a few of the common archive file formats (for example, zip files). Best of all, Windows Defender can create a restore point before removing unwanted software, just in case its actions break a legitimate application or delete needed content. However, the current version of Windows Defender does not scan for browser cookies, which are often used by spyware and adware to track a user's online browsing activities.
Figure 5: Windows Defender can perform heuristic scanning as well.
Windows Defender includes a Software Explorer feature (see Figure 6) that can reveal currently running programs, auto-starting programs, network connected programs, or currently installed Winsock Service Providers. As welcome as this feature is, it doesn't come close to the detection accuracy and ease of use provided by the Autoruns tool (http://www.sysinternals.com/Utilities/Autoruns.html).
Figure 6: Windows Defender gives information on startup programs.
Sysinternals was bought by Microsoft in July 2006, so now Autoruns is a Microsoft tool.
However, the Software Explorer feature does provide a quick way to document the processes running under Svchost.exe. Svchost is a generic hosting process for many other Windows services. It is not unusual for multiple instances to be running. When troubleshooting malware or performance problems, it can be helpful to know what services are running under each instance of Svchost. The Windows Defender Software Explorer can reveal the details. In Windows Defender, choose Tools, Software Explorer. Then choose Currently Running Programs. Highlight the Microsoft Host Process for Windows Services (called Microsoft Generic Host Process in earlier versions), and it will reveal what programs (see Figure 6) are running under each instance of Svchost.exe.
Figure 6: One of the best features of Windows Defender is that it gives you insight into the processes inside an Svchost.
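The same Svchost inventory that Software Explorer shows interactively can be produced at the command line. The PowerShell function below is an added example written for this chapter, not code from Windows Defender or from the book's authors; it assumes a PowerShell version with the CIM cmdlets (PowerShell 3.0 or later, newer than the Vista-era tools discussed here). It maps every running svchost.exe instance to the services it hosts, and also lists the command line, whose -k argument names the service group the instance was started for.

```powershell
# Added example: map each svchost.exe instance to the Windows services it hosts.
function Get-SvchostServiceMap {
    [CmdletBinding()]
    param()

    # Win32_Service exposes the PID of the process hosting each service (0 when stopped).
    # Group the running services by that PID so each svchost instance can be looked up.
    $byPid = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    # Walk every process named svchost.exe; ExecutablePath/CommandLine may be empty for
    # system processes when run without administrative rights.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object {
            $key    = [string]$_.ProcessId
            $hosted = @()
            if ($byPid -and $byPid.ContainsKey($key)) {
                $hosted = @($byPid[$key] | Sort-Object Name)
            }
            [PSCustomObject]@{
                ProcessId    = $_.ProcessId
                ImagePath    = $_.ExecutablePath
                CommandLine  = $_.CommandLine
                ServiceCount = $hosted.Count
                Services     = ($hosted | ForEach-Object { "$($_.Name) ($($_.DisplayName))" }) -join '; '
            }
        } | Sort-Object ProcessId
}

# Usage: one row per instance, then a closer look at any instance hosting no service at all.
$map = Get-SvchostServiceMap
$map | Format-Table ProcessId, ServiceCount, CommandLine -AutoSize
$map | Where-Object { $_.ServiceCount -eq 0 -or
                      ($_.ImagePath -and $_.ImagePath -notlike "$env:SystemRoot\System32\*") } |
    Format-List ProcessId, ImagePath, CommandLine, Services
```

When troubleshooting, the Services column answers the question the chapter poses (which services live in which instance), and the final filter surfaces the two cases worth investigating: an svchost.exe that hosts no service, or one whose image is not the copy in System32.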
Although Windows Defender is free, there is no centralized management console for deploying and managing in a large enterprise. Microsoft has made a custom administrative template file available so that Windows Defender can be managed using Active Directory group policy. In a future product called ForeFront, Microsoft will introduce manageability for Windows Defender-like functionality.
Windows Defender's accuracy has had its ups and downs. When it was first released, several publications ranked it in the top three anti-spyware programs in terms of accuracy. However, as of late 2006, Windows Defender is consistently ranked as having one of the poorest accuracy ratings by most anti-spyware reviewers. This is mostly due to the fact that Microsoft has intentionally made the decision for Windows Defender not to scan for, or to remove, unwanted browser cookies.
Spyware- and adware-based browser cookies are the most common type of unwanted content found by most anti-spyware tools. Microsoft chose not to detect or remove them because they are always low priority threats (that is, at most all they can do is track your Internet browser activities when visiting participating Web sites). Most anti-spyware programs choose to detect and remove them because doing so spikes their detection statistics. It is not unusual for hundreds to thousands of spyware-based cookies to be detected on a normal computer. If this single detection factor were removed from all the review rankings, Windows Defender would compare much more favorably to its competition.
Although the authors of this book wish that Windows Defender had the option to scan for unwanted browser cookies, and let the end users make the cookie detection decision, Windows Defender otherwise provides solid value to consumers. It will protect users from many critical threats. We encourage you to make individual decisions as to the desirability of this feature. This is yet another area where the security vendors (and the press) have attempted to spike statistics to show value that may or may not be there for a particular customer.
Windows Defender will be integrated tightly with Microsoft's Windows Live OneCare subscription service.